HylaFAX security advisory 4 Jan 2006
Subject: HylaFAX hfaxd and notify/faxrcvd vulnerabilities
HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX. See http://www.hylafax.org
Problem Descriptions and Impact:
Only HylaFAX version 4.2.3 is vulnerable.
This vulnerability was mentioned by Dileep <email@example.com> on the hylafax-users mailing list on December 12, was picked up and confirmed by Lee Horward and a fix was provided the same day by Todd Lipcon. The fix was committed to CVS-HEAD on December 15.
This hfaxd PAM vulnerability has been assigned CVE-2005-3538
HylaFAX versions 4.2.0 up to 4.2.3 are vulnerable. Prior version used a awk notify script that was not vulnerable. This vulnerability was discovered and fixed by Patrice Fournier of iFAX Solutions, Inc.
HylaFAX faxrcvd script also passes unsanitised user-supplied data to eval, allowing remote attackers to execute arbitrary commands. CallID (CIDName/CIDNumber) must be configured on the server and the attackers must have access to submit non alphanumeric characters as CallID data (which may not be possible for most configuration) in order to exploit this vulnerability.
HylaFAX versions 4.2.2 and 4.2.3 are vulnerable. Prior version didn't support a variable number of CallID parameters. These vulnerabilities were discovered and fixed by Patrice Fournier of iFAX Solutions, Inc. The fix was committed to CVS-HEAD on January 4.
These script vulnerabilities have been assigned CVE-2005-3539
HylaFAX.org has released HylaFAX version 4.2.4 which includes changes to fix each of these problems. All HylaFAX users are strongly encouraged to upgrade. The HylaFAX 4.2.4 source code is available at
In the event that upgrading to 4.2.4 is not appropriate, the patches to fix those vulnerabilities are available at the following bug reports:
If PAM support is NOT enabled and upgrading or patching is not possible, firewalling techniques restricting access to port 4559 are strongly encouraged. As the patches to faxrcvd and notify are simple changes to shell scripts, you should apply those patches in either case.
No abuse of these vulnerabilities is known to HylaFAX development.
The vendor-sec mailing list was notified on 21st December, and HylaFAX CVS-HEAD was updated on 15 December for the PAM-disabled login vulnerability and on 4 January for the other two vulnerabilities.
Patrice Fournier HylaFAX developer